
U.S. Department of Justice Office of Justice Programs National Institute of Justice

A Guide for First Responders

U.S. Department of Justice Office of Justice Programs 810 Seventh Street N.W.

Washington, DC 20531

John Ashcroft, Attorney General

Office of Justice Programs World Wide Web Site: http://www.ojp.usdoj.gov

National Institute of Justice World Wide Web Site: http://www.ojp.usdoj.gov/nij

Electronic Crime Scene Investigation: A Guide for First Responders

Written and Approved by the Technical Working Group for Electronic Crime Scene Investigation


U.S. Department of Justice

Office of Justice Programs National Institute of Justice

Opinions or points of view expressed in this document represent a consensus of the authors and do not necessarily represent the official position or policies of the U.S. Department of Justice. The products and manufacturers discussed in this document are presented for informational purposes only and do not constitute product approval or endorsement by the U.S. Department of Justice.

NCJ 187736

The National Institute of Justice is a component of the Office of Justice Programs, which also includes the Bureau of Justice Assistance, the Bureau of Justice Statistics, the Office of Juvenile Justice and Delinquency Prevention, and the Office for Victims of Crime.

This document is not intended to create, does not create, and may not be relied upon to create any rights, substantive or procedural, enforceable at law by any party in any matter civil or criminal.

Foreword

The Internet, computer networks, and automated data systems present an enormous new opportunity for committing criminal activity. Computers and other electronic devices are being used increasingly to commit, enable, or support crimes perpetrated against persons, organizations, or property. Whether the crime involves attacks against computer systems, the information they contain, or more traditional crimes such as murder, money laundering, trafficking, or fraud, electronic evidence increasingly is involved. It is no surprise that law enforcement and criminal justice officials are being overwhelmed by the volume of investigations and prosecutions that involve electronic evidence.

To assist State and local law enforcement agencies and prosecutorial offices with the growing volume of electronic crime, a series of reference guides regarding practices, procedures, and decisionmaking processes for investigating electronic crime is being prepared by technical working groups of practitioners and subject matter experts who are knowledgeable about electronic crime. The practitioners and experts are from Federal, State, and local law enforcement agencies; criminal justice agencies; offices of prosecutors and district attorneys general; and academic, commercial, and professional organizations.

The series of guides will address the investigation process from the crime scene first responder, to the laboratory, to the courtroom. Specifically, the series of guides will address:

◆ Crime scene investigations by first responders.

◆ Examination of digital evidence.

◆ Investigative uses of technology.

◆ Investigating electronic technology crimes.

◆ Creating a digital evidence forensic unit.

◆ Courtroom presentation of digital evidence.

Due to the rapidly changing nature of electronic and computer technologies and of electronic crime, efforts will be periodically undertaken to update the information contained within each of the guides. The guides, and any subsequent updates that are made to them, will be made available on the National Institute of Justice’s World Wide Web site (http://www.ojp.usdoj.gov/nij).

Technical Working Group for Electronic Crime Scene Investigation

The Technical Working Group for Electronic Crime Scene Investigation (TWGECSI) was a multidisciplinary group of practitioners and subject matter experts from across the United States and other nations. Each of the individual participants is experienced in the intricacies involved with electronic evidence in relation to recognition, documentation, collection, and packaging. To initiate the working group, a planning panel composed of a limited number of participants was selected to define the scope and breadth of the work. A series of guides was proposed in which each guide will focus on a different aspect of the discipline.

The panel chose crime scene investigation as the first topic for incorporation into a guide.

TWGECSI Planning Panel

Susan Ballou

Program Manager for Forensic Sciences

Office of Law Enforcement Standards National Institute of Standards and Technology

Gaithersburg, Maryland

Jaime Carazo

Special Agent

United States Secret Service Electronic Crimes Branch Washington, D.C.

Bill Crane

Assistant Director Computer Crime Section

National White Collar Crime Center Fairmont, West Virginia

Fred Demma

National Law Enforcement and Corrections Technology Center–Northeast Rome, New York

Grant Gottfried

Special Projects

National Center for Forensic Science Orlando, Florida

Sam Guttman

Assistant Inspector in Charge Forensic and Technical Services U.S. Postal Inspection Service Dulles, Virginia

Jeffrey Herig

Special Agent

Florida Department of Law Enforcement

Florida Computer Crime Center Tallahassee, Florida

Tim Hutchison

Sheriff

Knox County Sheriff’s Office Knoxville, Tennessee

David Icove

Manager, Special Projects U.S. TVA Police Knoxville, Tennessee


Abigail Abraham

Assistant State’s Attorney

Cook County State’s Attorney’s Office Chicago, Illinois

Keith Ackerman

Head of CID

Police HQ Hampshire Constabulary Winchester, Hants United Kingdom

Michael Anderson

President

New Technologies, Inc. Gresham, Oregon

Bill Baugh

CEO

Savannah Technology Group Savannah, Georgia

Bob Jarzen

Sacramento County

Laboratory of Forensic Science Sacramento, California

Tom Johnson

Dean

School of Public Safety and Professional Studies University of New Haven West Haven, Connecticut

Karen Matthews

DOE Computer Forensic Laboratory Bolling AFB Washington, D.C.

Mark Pollitt

Unit Chief FBI–CART Washington, D.C.

David Poole

Director

DoD Computer Forensics Laboratory Linthicum, Maryland

Mary Riley

Price Waterhouse Coopers, LLP Washington, D.C.

Kurt Schmid

Director

National HIDTA Program Washington, D.C.

Howard A. Schmidt

Corporate Security Officer Microsoft Corp.

Redmond, Washington

Raemarie Schmidt

Computer Crime Specialist National White Collar Crime Center Computer Crime Section

Fairmont, West Virginia

Carl Selavka

Massachusetts State Police Crime Laboratory

Sudbury, Massachusetts

Steve Sepulveda

United States Secret Service Washington, D.C.

Todd Shipley

Detective Sergeant Reno Police Department Financial/Computer Crimes Unit Reno, Nevada

Chris Stippich

Computer Crime Specialist Computer Crime Section

National White Collar Crime Center Fairmont, West Virginia

Carrie Morgan Whitcomb

Director

National Center for Forensic Science Orlando, Florida

Wayne Williams

Sr. Litigation Counsel

Computer Crime and Intellectual Property Section

Criminal Division U.S. Department of Justice Washington, D.C.

TWGECSI Members

Additional members were then incorporated into TWGECSI to provide a full technical working group. The individuals listed below, along with those participants on the planning panel, worked together to produce this guide for electronic crime scene first responders.


Randy Bishop

Special Agent in Charge U.S. Department of Energy Office of Inspector General Technology Crime Section Washington, D.C.

Steve Branigan

Vice President of Product Development

Lucent Technologies Murray Hill, New Jersey

Paul Brown

CyberEvidence, Inc. The Woodlands, Texas

Carleton Bryant

Staff Attorney

Knox County Sheriff’s Office Knoxville, Tennessee

Christopher Bubb

Deputy Attorney General New Jersey Division of Criminal Justice

Trenton, New Jersey

Don Buchwald

Project Engineer

National Law Enforcement and Corrections Technology Center–West

The Aerospace Corporation Los Angeles, California

Cheri Carr

Computer Forensic Lab Chief NASA Office of the Inspector General Network and Advanced Technology

Protections Office Washington, D.C.

Nick Cartwright

Manager

Canadian Police Research Centre Ottawa, Ontario

Canada

Ken Citarella

Chief

High Tech Crimes Bureau

Westchester County District Attorney White Plains, New York

Chuck Coe

Director of Technical Services NASA Office of the Inspector General Network and Advanced Technology

Protections Office Washington, D.C.

Fred Cohen

Sandia National Laboratories Cyber Defender Program Livermore, California

Fred Cotton

Director of Training Services SEARCH

The National Consortium for Justice Information and Statistics Sacramento, California

Tony Crisp

Lieutenant

Maryville Police Department Maryville, Tennessee

Mark Dale

New York State Police Forensic Investigation Center Albany, New York

Claude Davenport

Senior SA

United States Customs Service Sterling, Virginia

David Davies

Photographic Examiner Federal Bureau of Investigation Washington, D.C.

Michael Donhauser

Maryland State Police Columbia, Maryland

James Doyle

Sergeant Detective Bureau

New York City Police Department New York, New York

Michael Duncan

Sergeant

Royal Canadian Mounted Police Economic Crime Branch Technological Crime Section Ottawa, Ontario

Canada

Jim Dunne

Group Supervisor Drug Enforcement Agency St. Louis, Missouri

Chris Duque

Detective

Honolulu Police Department White Collar Crime Unit Honolulu, Hawaii

Doug Elrick

Iowa DCI Crime Lab Des Moines, Iowa

Paul French

Computer Forensics Lab Manager New Technologies Armor, Inc. Gresham, Oregon


Gerald Friesen

Electronic Search Coordinator Industry Canada

Hull, Quebec Canada

Pat Gilmore, CISSP

Director

Information Security Atomic Tangerine San Francisco, California

Gary Gordon

Professor

Economic Crime Programs Utica College

WetStone Technologies Utica, New York

Dan Henry

Chief Deputy

Marion County Sheriff’s Department Ocala, Florida

Jeff Hormann

Special Agent In Charge

Computer Crime Resident Agency U.S. Army CID

Ft. Belvoir, Virginia

Mary Horvath

Program Manager FBI–CART Washington, D.C.

Mel Joiner

Officer

Arizona Department of Public Safety Phoenix, Arizona

Nigel Jones

Detective Sergeant Computer Crime Unit Police Headquarters Kent County Constabulary Maidstone, Kent United Kingdom

Jamie Kerr

SGT/Project Manager RCMP Headquarters Training Directorate Ottawa, Ontario Canada

Alan Kestner

Assistant Attorney General Wisconsin Department of Justice Madison, Wisconsin

Phil Kiracofe

Sergeant

Tallahassee Police Department Tallahassee, Florida

Roland Lascola

Program Manager FBI-CART Washington, D.C.

Barry Leese

Detective Sergeant Maryland State Police Computer Crimes Unit Columbia, Maryland

Glenn Lewis

Computer Specialist SEARCH

The National Consortium for Justice Information and Statistics Sacramento, California

Chris Malinowski

Forensic Computer Investigation University of New Haven West Haven, Connecticut

Kevin Manson

Director Cybercop.org

St. Simons Island, Georgia

Brenda Maples

Lieutenant

Memphis Police Department Memphis, Tennessee

Tim McAuliffe

New York State Police Forensic Investigation Center Albany, New York

Michael McCartney

Investigator

New York State Attorney General’s Office

Criminal Prosecution Bureau– Organized Crime Task Force Buffalo, New York

Alan McDonald

SSA

Washington, D.C.

Mark Menz

SEARCH

The National Consortium for Justice Information and Statistics Sacramento, California

Dave Merkel

AOL Investigations Reston, Virginia

Bill Moylan

Detective

Nassau County PD Computer Crime Section Crimes Against Property Squad


Steve Nesbitt

Director of Operations

NASA Office of the Inspector General Network and Advanced Technology

Protections Office Washington, D.C.

Glen Nick

Program Manager U.S. Customs Service Cyber Smuggling Center Fairfax, Virginia

Robert O’Leary

Detective

New Jersey State Police High Technology Crimes &

Investigations Support Unit West Trenton, New Jersey

Matt Parsons

Special Agent/Division Chief Naval Criminal Investigative Service Washington, D.C.

Mike Phelan

Chief

Computer Forensics Unit

DEA Special Testing and Research Lab

Lorton, Virginia

Henry R. Reeve

General Counsel/Deputy D.A. Denver District Attorney’s Office Denver, Colorado

Jim Riccardi, Jr.

Electronic Crime Specialist National Law Enforcement and

Corrections Technology Center–Northeast Rome, New York

David Roberts

Deputy Executive Director SEARCH

The National Consortium for Justice Information and Statistics Sacramento, California

Leslie Russell

Forensic Science Service Lambeth London, England United Kingdom

Greg Schmidt

Sr. Investigator

EDS-Investigations/Technical Plano, Texas

George Sidor

Law Enforcement Security Consultant Jaws Technologies Inc.

St. Albert, Alberta Canada

William Spernow

CISSP

Research Director

Information Security Strategies Group Gartner, Inc.

Suwanee, Georgia

Ronald Stevens

Senior Investigator New York State Police Forensic Investigation Center Albany, New York

Gail Thackeray

Special Counsel–Technology Crimes Arizona Attorney General’s Office Phoenix, Arizona

Dwight Van de Vate

Chief Deputy

Knox County Sheriff’s Office Knoxville, Tennessee

Jay Verhorevoort

Lieutenant

Davenport Police Department Davenport, Iowa

Richard Vorder Bruegge

Photographic Examiner Federal Bureau of Investigation Washington, D.C.

Robert B. Wallace

U.S. Department of Energy Germantown, Maryland

Craig Wilson

Detective Sergeant Computer Crime Unit Police Headquarters Kent County Constabulary Maidstone, Kent

United Kingdom

Brian Zwit

Chief Counsel (former)

Environment, Science, and Technology National Association of Attorneys

General Washington, D.C.


Chronology

In May 1998, the National Cybercrime Training Partnership (NCTP), the Office of Law Enforcement Standards (OLES), and the National Institute of Justice (NIJ) collaborated on possible resources that could be implemented to counter electronic crime. Continuing meetings generated a desire to formulate one set of protocols that would address the process of electronic evidence from the crime scene through court presentations. NIJ selected the technical working group process as the way to achieve this goal but with the intent to create a publication flexible enough to allow implementation with any State and local law enforcement policy. Using its “template for technical working groups,” NIJ established the Technical Working Group for Electronic Crime Scene Investigation (TWGECSI) to identify, define, and establish basic criteria to assist agencies with electronic investigations and prosecutions.

In January 1999, planning panel members met at the National Institute of Standards and Technology (NIST) in Gaithersburg, Maryland, to review the fast-paced arena of electronic crime and prepare the scope, intent, and objectives of the project. During this meeting, the scope was determined to be too vast for incorporation into one guide. Thus evolved a plan for several guides, each targeting separate issues. Crime scene investigation was selected as the topic for the first guide.

The initial meeting of the full TWGECSI took place March 1999 at NIST. After outlining tasks in a general meeting, the group separated into subgroups to draft the context of the chapters as identified by the planning panel. These chapters were Electronic Devices: Types and Potential Evidence; Investigative Tools and Equipment; Securing and Evaluating the Scene; Documenting the Scene; Evidence Collection; Packaging, Transportation, and Storage; and Forensic Examination by Crime Category. The volume of work involved in preparing the text of these chapters required additional TWGECSI meetings.

The planning panel did not convene again until May 2000. Due to the amount of time that had transpired between meetings, the planning panel reviewed the draft content and compared it with changes that had occurred in the electronic crime environment.

These revisions to the draft were then sent to the full TWGECSI in anticipation of the next meeting. The full TWGECSI met again at NIST in August 2000, and through 2 days of intense discussion, edited most of the draft to represent the current status of electronic crime investigation. With a few more sections requiring attention, the planning panel met in Seattle, Washington, during September 2000 to continue the editing process. These final changes, the glossary, and appendixes were then critiqued and voted on by the whole TWGECSI during the final meeting in November 2000 at NIST.

The final draft was then sent for content and editorial review to more than 80 organizations having expertise and knowledge in the electronic crime environment. The returned comments were evaluated and incorporated into the document when possible. The first chapter, Electronic Devices: Types and Potential Evidence, incorporates photographic representations of highlighted terms as a visual associative guide. At the end of the document are appendixes containing a glossary, legal resources, technical resources, training resources, and references, followed by a list of the organizations to which a draft copy of the document was sent.

Acknowledgments

The National Institute of Justice (NIJ) wishes to thank the members of the Technical Working Group for Electronic Crime Scene Investigation (TWGECSI) for their tireless dedication. There was a constant turnover of individuals involved, mainly as a result of job commitments and career changes. This dynamic environment resulted in a total of 94 individuals supplying their knowledge and expertise to the creation of the guide. All participants were keenly aware of the constant changes occurring in the field of electronics and strove to update information during each respective meeting. This demonstrated the strong desire of the working group to produce a guide that could be flexible and serve as a backbone for future efforts to upgrade the guide. In addition, NIJ offers a sincere thank you to each agency and organization represented by the working group members. The work loss to each agency during the absence of key personnel is evidence of management’s commitment and understanding of the importance of standardization in forensic science.

NIJ also wishes to thank Kathleen Higgins, Director, and Susan Ballou, Program Manager, of the Office of Law Enforcement Standards, for providing management and guidance in bringing the project to completion.

NIJ would like to express appreciation for the input and support that Dr. David G. Boyd, Director of NIJ’s Office of Science and Technology (OS&T), and Trent DePersia, Dr. Ray Downs, Dr. Richard Rau, Saralyn Borrowman, Amon Young, and James McNeil, all of OS&T, gave the meetings and the document. A special thanks is extended to Aspen Systems Corporation, specifically to Michele Coppola, the assigned editor, for her patience and skill in dealing with instantaneous transcription.

In addition, NIJ wishes to thank the law enforcement agencies, academic institutions, and commercial organizations worldwide that supplied contact information, reference materials, and editorial suggestions. Particular thanks goes to Michael R. Anderson, President of New Technologies, Inc., for contacting agencies knowledgeable in electronic evidence for inclusion in the appendix on technical resources.


Foreword...iii

Technical Working Group for Electronic Crime Scene Investigation ...v

Acknowledgments ...xiii

Overview ...1

The Law Enforcement Response to Electronic Evidence...1

The Latent Nature of Electronic Evidence ...2

The Forensic Process...2

Introduction ...5

Who Is the Intended Audience for This Guide? ...5

What is Electronic Evidence? ...6

How Is Electronic Evidence Handled at the Crime Scene? ...6

Is Your Agency Prepared to Handle Electronic Evidence? ...7

Chapter 1. Electronic Devices: Types and Potential Evidence ...9

Computer Systems...10

Components...12

Access Control Devices...12

Answering Machines...13

Digital Cameras...13

Handheld Devices (Personal Digital Assistants [PDAs], Electronic Organizers)...14

Hard Drives ...15

Memory Cards...15

Modems ...16

Network Components ...16

Pagers ...18

Printers...18

Removable Storage Devices and Media ...19

Scanners...19

Telephones ...20

Miscellaneous Electronic Items ...20


Chapter 2. Investigative Tools and Equipment. ...23

Tool Kit ...23

Chapter 3. Securing and Evaluating the Scene ...25

Chapter 4. Documenting the Scene ...27

Chapter 5. Evidence Collection ...29

Nonelectronic Evidence ...29

Stand-Alone and Laptop Computer Evidence ...30

Computers in a Complex Environment ...32

Other Electronic Devices and Peripheral Evidence ...33

Chapter 6. Packaging, Transportation, and Storage ...35

Chapter 7. Forensic Examination by Crime Category ...37

Auction Fraud (Online) ...37

Child Exploitation/Abuse ...37

Computer Intrusion ...38

Death Investigation ...38

Domestic Violence...38

Economic Fraud (Including Online Fraud, Counterfeiting) ....38

E-Mail Threats/Harassment/Stalking ...39

Extortion ...39

Gambling ...39

Identity Theft ...39

Narcotics ...40

Prostitution ...40

Software Piracy ...41

Telecommunications Fraud ...41

Appendix A. Glossary ...47

Appendix B. Legal Resources List ...53

Appendix C. Technical Resources List ...55

Appendix D. Training Resources List ...73

Appendix E. References ...77

Overview

Computers and other electronic devices are present in every aspect of modern life. At one time, a single computer filled an entire room; today, a computer can fit in the palm of your hand. The same technological advances that have helped law enforcement are being exploited by criminals.

Computers can be used to commit crime, can contain evidence of crime, and can even be targets of crime. Understanding the role and nature of electronic evidence that might be found, how to process a crime scene containing potential electronic evidence, and how an agency might respond to such situations are crucial issues. This guide represents the collected experience of the law enforcement community, academia, and the private sector in the recognition, collection, and preservation of electronic evidence in a variety of crime scenes.

The Law Enforcement Response to

Electronic Evidence

The law enforcement response to electronic evidence requires that officers, investigators, forensic examiners, and managers all play a role. This document serves as a guide for the first responder. A first responder may be responsible for the recognition, collection, preservation, transportation, and/or storage of electronic evidence. In today’s world, this can include almost everyone in the law enforcement profession. Officers may encounter electronic devices during their day-to-day duties. Investigators may direct the collection of electronic evidence, or may perform the collection themselves. Forensic examiners may provide assistance at crime scenes and will perform examinations on the evidence. Managers have the responsibility of ensuring that personnel under their direction are adequately trained and equipped to properly handle electronic evidence.

Each responder must understand the fragile nature of electronic evidence and the principles and procedures associated with its collection and preservation. Actions that have the potential to alter, damage, or destroy original evidence may be closely scrutinized by the courts.

Procedures should be in effect that promote electronic crime scene investigation. Managers should determine who will provide particular levels of services and how these services will be funded. Personnel should be provided with initial and ongoing technical training. Oftentimes, certain cases will demand a higher level of expertise, training, or equipment, and managers should have a plan in place regarding how to respond to these cases. The demand for responses to electronic evidence is expected to increase for the foreseeable future. Such services require that dedicated resources be allocated for these purposes.

The Latent Nature of Electronic Evidence

Electronic evidence is information and data of investigative value that is stored on or transmitted by an electronic device. As such, electronic evidence is latent evidence in the same sense that fingerprints or DNA (deoxyribonucleic acid) evidence are latent. In its natural state, we cannot “see” what is contained in the physical object that holds our evidence. Equipment and software are required to make the evidence visible. Testimony may be required to explain the examination process and any process limitations. Electronic evidence is, by its very nature, fragile. It can be altered, damaged, or destroyed by improper handling or improper examination. For this reason, special precautions should be taken to document, collect, preserve, and examine this type of evidence. Failure to do so may render it unusable or lead to an inaccurate conclusion. This guide suggests methods that will help preserve the integrity of such evidence.

The Forensic Process

The nature of electronic evidence is such that it poses special challenges for its admissibility in court. To meet these challenges, follow proper forensic procedures. These procedures include, but are not limited to, four phases: collection, examination, analysis, and reporting. Although this guide concentrates on the collection phase, the nature of the other three phases and what happens in each are also important to understand.

The collection phase involves the search for, recognition of, collection of, and documentation of electronic evidence. The collection phase can involve real-time and stored information that may be lost unless precautions are taken at the scene.

The examination process helps to make the evidence visible and explain its origin and significance. This process should accomplish several things. First, it should document the content and state of the evidence in its totality. Such documentation allows all parties to discover what is contained in the evidence. Included in this process is the search for information that may be hidden or obscured. Once all the information is visible, the process of data reduction can begin, thereby separating the “wheat” from the “chaff.” Given the tremendous amount of information that can be stored on computer storage media, this part of the examination is critical.

Analysis differs from examination in that it looks at the product of the examination for its significance and probative value to the case. Examination is a technical review that is the province of the forensic practitioner, while analysis is performed by the investigative team. In some agencies, the same person or group will perform both these roles.

A written report that outlines the examination process and the pertinent data recovered completes an examination. Examination notes must be preserved for discovery or testimony purposes. An examiner may need to testify about not only the conduct of the examination but also the validity of the procedure and his or her qualifications to conduct the examination.
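The examination steps described above (documenting the content of the evidence, searching for hidden or obscured information, then reducing the data) can be illustrated in code. The following Python example is added here and is not part of the guide: it eliminates files whose SHA-256 hash matches a known-file reference set, retains the rest for analysis, and flags files whose leading-byte signature contradicts their extension, one common way obscured content shows up. The recovered files, the reference hash set and the signature table are constructed for illustration; the reference set plays the role a real hash library such as the NIST NSRL would play, which is an assumption of this example rather than something the guide cites.

```python
import hashlib
from typing import Dict, List, Optional

# Constructed sample "files" standing in for content recovered from a forensic
# image. An examination works from a verified copy, never the original media.
RECOVERED_FILES: Dict[str, bytes] = {
    "WINDOWS/system32/kernel32.dll": b"known operating system binary (sample)",
    "WINDOWS/notepad.exe": b"known application binary (sample)",
    "Documents/letter.txt": b"Meeting at the usual place, bring the envelope.",
    "Documents/backup.dat": b"known operating system binary (sample)",
    "Documents/notes.txt": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,
}

# Constructed reference set playing the role of a known-file hash library
# (assumed here; the NIST NSRL is a real example of such a library). A hash
# match identifies an unmodified, uninteresting file that can be set aside.
KNOWN_FILE_HASHES = {
    hashlib.sha256(b"known operating system binary (sample)").hexdigest(),
    hashlib.sha256(b"known application binary (sample)").hexdigest(),
}

# Widely known leading-byte signatures; content whose signature does not match
# the file extension is one way obscured information is detected.
SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",
}
EXTENSIONS_FOR_TYPE = {"jpeg": {".jpg", ".jpeg"}, "pdf": {".pdf"}, "zip": {".zip"}}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def detect_type(data: bytes) -> Optional[str]:
    """Identify content by signature, or None when no known signature matches."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def extension_mismatch(path: str, data: bytes) -> bool:
    """True when the content signature contradicts the file extension."""
    kind = detect_type(data)
    if kind is None:
        return False
    name = path.rsplit("/", 1)[-1]
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    return ext not in EXTENSIONS_FOR_TYPE[kind]


def reduce_files(files: Dict[str, bytes], known_hashes) -> Dict[str, List[str]]:
    """Split recovered files into eliminated (known), review, and disguised."""
    result: Dict[str, List[str]] = {"eliminated": [], "review": [], "disguised": []}
    for path, data in sorted(files.items()):
        if sha256_hex(data) in known_hashes:
            result["eliminated"].append(path)   # the "chaff"
            continue
        result["review"].append(path)           # the "wheat" handed to analysis
        if extension_mismatch(path, data):
            result["disguised"].append(path)
    return result


def examination_note(result: Dict[str, List[str]], total: int) -> str:
    """One-line summary of the reduction step for the examiner's notes."""
    return (f"{total} files examined; {len(result['eliminated'])} eliminated by known hash; "
            f"{len(result['review'])} retained for review; "
            f"{len(result['disguised'])} with extension/content mismatch")


if __name__ == "__main__":
    outcome = reduce_files(RECOVERED_FILES, KNOWN_FILE_HASHES)
    print(examination_note(outcome, len(RECOVERED_FILES)))
```

Every decision the routine makes is derived from the hash or the bytes, so the examination note it produces can be reproduced later by anyone with the same image and reference set, which is what makes the reduction step defensible in testimony.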

Introduction

This guide is intended for use by law enforcement and other responders who have the responsibility for protecting an electronic crime scene and for the recognition, collection, and preservation of electronic evidence. It is not all-inclusive. Rather, it deals with the most common situations encountered with electronic evidence. Technology is advancing at such a rapid rate that the suggestions in this guide must be examined through the prism of current technology and the practices adjusted as appropriate. It is recognized that all crime scenes are unique and the judgment of the first responder/investigator should be given deference in the implementation of this guide. Furthermore, those responsible officers or support personnel with special training should also adjust their practices as the circumstances (including their level of experience, conditions, and available equipment) warrant. This publication is not intended to address forensic analysis. Circumstances of individual cases and Federal, State, and local laws/rules may require actions other than those described in this guide.

When dealing with electronic evidence, general forensic and procedural principles should be applied:

◆ Actions taken to secure and collect electronic evidence should not change that evidence.

◆ Persons conducting examination of electronic evidence should be trained for the purpose.

◆ Activity relating to the seizure, examination, storage, or transfer of electronic evidence should be fully documented, preserved, and available for review.
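The first and third principles above (actions must not change the evidence; every seizure, examination, storage or transfer step must be documented and preserved) translate directly into an integrity hash plus an append-only custody record. The following Python example is added here and is not code from the guide: it hashes a constructed stand-in for seized media at acquisition, records each handling step together with the hash, and re-verifies the item later so that any alteration, even a single flipped bit, is detected rather than silently carried into analysis. The item identifier, the actor names and the media bytes are all constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the contents of seized media. A real acquisition
# images the whole device, normally through a hardware write blocker.
SEIZED_MEDIA = b"\x00" * 16 + b"sample volume data for illustration only" + b"\xff" * 16


def sha256_hex(data: bytes) -> str:
    """Digest used as the evidence fingerprint."""
    return hashlib.sha256(data).hexdigest()


def acquire_image(media: bytes) -> bytes:
    """Byte-for-byte copy; the copy's hash must equal the source's hash."""
    return bytes(media)


class CustodyLog:
    """Append-only record of every action taken with one evidence item."""

    def __init__(self, item_id: str) -> None:
        self.item_id = item_id
        self.entries: List[Dict[str, str]] = []

    def record(self, actor: str, action: str, digest: str,
               when: Optional[datetime] = None) -> Dict[str, str]:
        stamp = when or datetime.now(timezone.utc)
        entry = {
            "item": self.item_id,
            "actor": actor,
            "action": action,
            "sha256": digest,
            "time": stamp.isoformat(),
        }
        self.entries.append(entry)   # entries are only ever appended, never edited
        return entry

    def acquisition_hash(self) -> Optional[str]:
        """Hash recorded in the first entry, i.e. at acquisition."""
        return self.entries[0]["sha256"] if self.entries else None

    def verify(self, current: bytes) -> bool:
        """True only if the item still matches the hash recorded at acquisition."""
        return sha256_hex(current) == self.acquisition_hash()

    def to_json(self) -> str:
        """Serialised form suitable for preserving with the case file."""
        return json.dumps(self.entries, indent=2)


def run_scenario() -> Tuple[bool, bool, bool, int]:
    """Walk one item from scene to examiner and show that tampering is caught."""
    image = acquire_image(SEIZED_MEDIA)
    faithful_copy = sha256_hex(image) == sha256_hex(SEIZED_MEDIA)

    log = CustodyLog("ITEM-001 (constructed identifier)")
    log.record("Officer A", "acquired forensic image at scene", sha256_hex(image))
    log.record("Officer A", "transferred to evidence custodian", sha256_hex(image))
    log.record("Examiner B", "received for examination, hash re-verified", sha256_hex(image))
    intact = log.verify(image)

    # A single flipped bit models an improper handling step; it must not go unnoticed.
    altered = bytearray(image)
    altered[20] ^= 0x01
    still_intact = log.verify(bytes(altered))

    return faithful_copy, intact, still_intact, len(log.entries)


if __name__ == "__main__":
    print(run_scenario())  # (True, True, False, 3)
```

The log deliberately offers no way to edit or delete an entry: a record that can be quietly corrected is of little value when the conduct of the collection is questioned in court, and a hash that no longer matches the acquisition entry is exactly the kind of discrepancy the third principle exists to expose.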

Who Is the Intended Audience for This Guide?

◆ Anyone encountering a crime scene that might contain electronic evidence.

◆ Anyone processing a crime scene that involves electronic evidence.

◆ Anyone supervising someone who processes such a crime scene.

◆ Anyone managing an organization that processes such a crime scene.


Without having the necessary skills and training, no responder should attempt to explore the contents or recover data from a computer (e.g., do not touch the keyboard or click the mouse) or other electronic device other than to record what is visible on its display.

What Is Electronic Evidence?

Electronic evidence is information and data of investigative value that is stored on or transmitted by an electronic device. Such evidence is acquired when data or physical items are collected and stored for examination purposes.

Electronic evidence:

◆ Is often latent in the same sense as fingerprints or DNA evidence.

◆ Can transcend borders with ease and speed.

◆ Is fragile and can be easily altered, damaged, or destroyed.

◆ Is sometimes time-sensitive.

How Is Electronic Evidence Handled at the Crime Scene?

Precautions must be taken in the collection, preservation, and examination of electronic evidence.

Handling electronic evidence at the crime scene normally consists of the following steps:

◆ Recognition and identification of the evidence.

◆ Documentation of the crime scene.

◆ Collection and preservation of the evidence.

◆ Packaging and transportation of the evidence.

The information in this document assumes that:

◆ The necessary legal authority to search for and seize the


◆ The crime scene has been secured and documented (photo-graphically and/or by sketch or notes).

◆ Crime scene protective equipment (gloves, etc.) is being used as necessary.

Note: First responders should use caution when seizing electronic devices. The improper access of data stored in electronic devices may violate provisions of certain Federal laws, including the Electronic Communications Privacy Act. Additional legal process may be necessary. Please consult your local prosecutor before accessing stored data on a device. Because of the fragile nature of electronic evidence, examination should be done by appropriate personnel.

Is Your Agency Prepared to Handle Electronic Evidence?

This document recommends that every agency identify local computer experts before they are needed. These experts should be “on call” for situations that are beyond the technical expertise of the first responder or department. (Similar services are in place for toxic waste emergencies.) It is also recommended that investigative plans be developed in compliance with departmental policy and Federal, State, and local laws. In particular, under the Privacy Protection Act, with certain exceptions, it is unlawful for an agent to search for or seize certain materials possessed by a person reasonably believed to have a purpose of disseminating information to the public. For example, seizure of First Amendment materials such as drafts of newsletters or Web pages may implicate the Privacy Protection Act.

This document may help in:

◆ Assessing resources.

◆ Developing procedures.

◆ Assigning roles and tasks.

◆ Considering officer safety.

◆ Identifying and documenting equipment and supplies to


Chapter 1

Electronic Devices: Types and Potential Evidence

Electronic evidence can be found in many of the new types of electronic devices available to today’s consumers. This chapter displays a wide variety of the types of electronic devices commonly encountered in crime scenes, provides a general description of each type of device, and describes its common uses. In addition, it presents the potential evidence that may be found in each type of equipment.

Many electronic devices contain memory that requires continuous power to maintain the information, such as a battery or AC power. Data can be easily lost by unplugging the power source or allowing the battery to discharge. (Note: After determining the mode of collection, collect and store the power supply adaptor or cable, if present, with the recovered device.)

(Photographs shown in the original: printer, CPU, telephone, diskettes, monitor, keyboard, counterfeit documents, software.)

Computer Systems

Description: A computer system typically consists of a main base unit, sometimes called a central processing unit (CPU), data storage devices, a monitor, keyboard, and mouse. It may be a stand-alone or it may be connected to a network. There are many types of computer systems such as laptops, desktops, tower systems, modular rack-mounted systems, minicomputers, and mainframe computers. Additional components include modems, printers, scanners, docking stations, and external data storage devices. For example, a desktop is a computer system consisting of a case, motherboard, CPU, and data storage, with an external keyboard and mouse.

Primary Uses: For all types of computing functions and information storage, including word processing, calculations, communications, and graphics.

Potential Evidence: Evidence is most commonly found in files that are stored on hard drives and storage devices and media. Examples are:

User-Created Files

User-created files may contain important evidence of criminal activity such as address books and database files that may prove criminal association, still or moving pictures that may be evidence of pedophile activity, and communications between criminals such as by e-mail or letters. Also, drug deal lists may often be found in spreadsheets.

◆ Address books.

◆ Audio/video files.

◆ Calendars.

◆ Database files.

◆ Documents or text files.

◆ E-mail files.

◆ Image/graphics files.

◆ Internet bookmarks/favorites.

◆ Spreadsheet files.

User-Protected Files

Users have the opportunity to hide evidence in a variety of forms. For example, they may encrypt or password-protect data that are important to them. They may also hide files on a hard disk or within other files or deliberately hide incriminating evidence files under an innocuous name.

◆ Compressed files.

◆ Encrypted files.

◆ Hidden files.

◆ Misnamed files.

◆ Password-protected files.

◆ Steganography.

Evidence can also be found in files and other data areas created as a routine function of the computer’s operating system. In many cases, the user is not aware that data are being written to these areas. Passwords, Internet activity, and temporary backup files are examples of data that can often be recovered and examined.

Note: There are components of files that may have evidentiary value including the date and time of creation, modification, deletion, access, user name or identification, and file attributes. Even turning the system on can modify some of this information.

Computer-Created Files

◆ Backup files.

◆ Configuration files.

◆ Cookies.

◆ Hidden files.

◆ History files.

◆ Log files.

◆ Printer spool files.

◆ Swap files.

◆ System files.

◆ Temporary files.

Other Data Areas

◆ Bad clusters.

◆ Computer date, time, and password.

◆ Deleted files.

◆ Free space.

◆ Hidden partitions.

◆ Lost clusters.

◆ Metadata.

◆ Other partitions.

◆ Reserved areas.

◆ Slack space.

◆ Software registration information.

◆ System areas.

◆ Unallocated space.

(Photographs shown in the original: port replicator, docking station, server.)

Components

Central Processing Units (CPUs)

Description: Often called the “chip,” it is a microprocessor located inside the computer. The microprocessor is located in the main computer box on a printed circuit board with other electronic components.

Primary Uses: Performs all arithmetic and logical functions in the computer. Controls the operation of the computer.

Potential Evidence: The device itself may be evidence of component theft, counterfeiting, or remarking.

Memory

Description: Removable circuit board(s) inside the computer. Information stored here is usually not retained when the computer is powered down.

Primary Uses: Stores user’s programs and data while computer is in operation.

Potential Evidence: The device itself may be evidence of component theft, counterfeiting, or remarking.

Access Control Devices

Smart Cards, Dongles, Biometric Scanners

Description: A smart card is a small handheld device that contains a microprocessor that is capable of storing a monetary value, encryption key or authentication information (password), digital certificate, or other information. A dongle is a small device that plugs into a computer port that contains types of information similar to information on a smart card. A biometric scanner is a device connected to a computer system that recognizes physical characteristics of an individual (e.g., fingerprint, voice, retina).

(Photographs shown in the original: PIII Xeon processor, PIII processor, G4 processor, memory, CPUs, smart card, parallel dongle, biometric scanner.)

Primary Uses: Provides access control to computers or programs or functions as an encryption key.

Potential Evidence: Identification/authentication information of the card and the user, level of access, configurations, permissions, and the device itself.

Answering Machines

Description: An electronic device that is part of a telephone or connected between a telephone and the landline connection. Some models use a magnetic tape or tapes, while others use an electronic (digital) recording system.

Primary Uses: Records voice messages from callers when the called party is unavailable or chooses not to answer a telephone call. Usually plays a message from the called party before recording the message.

Note: Since batteries have a limited life, data could be lost if they fail. Therefore, appropriate personnel (e.g., evidence custodian, lab chief, forensic examiner) should be informed that a device powered by batteries is in need of immediate attention.

Potential Evidence: Answering machines can store voice messages and, in some cases, time and date information about when the message was left. They may also contain other voice recordings.

◆ Caller identification information.

◆ Deleted messages.

◆ Last number called.

◆ Memo.

◆ Phone numbers and names.

(Photographs shown in the original: USB dongles, parallel dongle, answering machine, QuickCam.)

Digital Cameras

Description: Camera, digital recording device for images and video, with related storage media and conversion hardware capable of transferring images and video to computer media.

Primary Uses: Digital cameras capture images and/or video in a digital format that is easily transferred to computer storage media for viewing and/or editing.

Potential Evidence:

◆ Images.

◆ Removable cartridges.

◆ Sound.

◆ Time and date stamp.

◆ Video.

Handheld Devices (Personal Digital Assistants [PDAs], Electronic Organizers)

Description: A personal digital assistant (PDA) is a small device that can include computing, telephone/fax, paging, networking, and other features. It is typically used as a personal organizer. A handheld computer approaches the full functionality of a desktop computer system. Some do not contain disk drives, but may contain PC card slots that can hold a modem, hard drive, or other device. They usually include the ability to synchronize their data with other computer systems, most commonly by a connection in a cradle (see photo). If a cradle is present, attempt to locate the associated handheld device.

Primary Uses: Handheld computing, storage, and communication devices capable of storage of information.

Note: Since batteries have a limited life, data could be lost if they fail. Therefore, appropriate personnel (e.g., evidence custodian, lab chief, forensic examiner) should be informed that a device powered by batteries is in need of immediate attention.

Potential Evidence:

◆ Address book.

◆ Appointment calendars/information.

◆ Documents.

◆ E-mail.

◆ Handwriting.

◆ Password.

◆ Phone book.

◆ Text messages.

◆ Voice messages.

(Photographs shown in the original: Snappy video capture device, video phone, digital cameras, Casio PDA, Palm cradle, Palm in cradle, PDAs.)

Hard Drives

Description: A sealed box containing rigid platters (disks) coated with a substance capable of storing data magnetically. Can be encountered in the case of a PC as well as externally in a stand-alone case.

Primary Uses: Storage of information such as computer programs, text, pictures, video, multimedia files, etc.

Potential Evidence: See potential evidence under computer systems.

Memory Cards

Description: Removable electronic storage devices, which do not lose the information when power is removed from the card. It may even be possible to recover erased images from memory cards. Memory cards can store hundreds of images in a credit card-size module. Used in a variety of devices, including computers, digital cameras, and PDAs. Examples are memory sticks, smart cards, flash memory, and flash cards.

Primary Uses: Provides additional, removable methods of storing and transporting information.

Potential Evidence: See potential evidence under computer systems.

(Photographs shown in the original: 2.5-inch IDE hard drive (laptop), 5.25-inch IDE hard drive (Quantum Bigfoot), removable hard drive tray, external hard drive pack, 3.5-inch IDE hard drive with cover removed, Microdrive, 2.5-inch IDE hard drive with cover removed, Memory Stick, flash card in PCMCIA adaptor, floppy disk adaptor/Memory Stick, CompactFlash card, memory cards, SmartMedia card, SmartMedia floppy adaptor.)

Modems

Description: Modems, internal and external (analog, DSL, ISDN, cable), wireless modems, PC cards.

Primary Uses: A modem is used to facilitate electronic communication by allowing the computer to access other computers and/or networks via a telephone line, wireless, or other communications medium.

Potential Evidence: The device itself.

Network Components

Local Area Network (LAN) Card or Network

Interface Card (NIC)

Note: These components are indicative of a computer network. See discussion on network system evidence in chapter 5 before handling the computer system or any connected devices.

Description: Network cards, associated cables. Network cards also can be wireless.

Primary Uses: A LAN/NIC card is used to connect computers. Cards allow for the exchange of information and resource sharing.

Potential Evidence: The device itself and its MAC (media access control) address.

Routers, Hubs, and Switches

Description: These electronic devices are used in networked computer systems. Routers, switches, and hubs provide a means of connecting different computers or networks.

(Photographs shown in the original: internal network interface card, wireless network interface card, wireless PCMCIA card, PCMCIA network interface card, router, 10 Mbps or 10/100 Mbps autosensing Ethernet hub, external modems, internal modem, PCMCIA modem, Ricochet wireless modem, NBG600 cable or xDSL modem with power adapter and standard RJ-45 connector.)

Primary Uses: Equipment used to distribute and facilitate the distribution of data through networks.

Potential Evidence: The devices themselves. Also, for routers, configuration files.

Servers

Description: A server is a computer that provides some service for other computers connected to it via a network. Any computer, including a laptop, can be configured as a server.

Primary Uses: Provides shared resources such as e-mail, file storage, Web page services, and print services for a network.

Potential Evidence: See potential evidence under computer systems.

Network Cables and Connectors

Description: Network cables can be different colors, thicknesses, and shapes and have different connectors, depending on the components they are connected to.

Primary Uses: Connects components of a computer network.

Potential Evidence: The devices themselves.

(Photographs shown in the original: wireless hub, server, RJ-11 phone cable, RJ-45 LAN cable and RJ-11 phone cable, SCSI cables, Ultrawide SCSI cable, parallel port printer cable, Centronics printer cable, PS/2 cable, serial cable and mouse, PS/2 cable with PS/2-to-AT adapter, USB cable with A and B connectors, audio/visual cables, network cable dongle and PC network card, cable or xDSL modem, CableFREE ISA/PCI card in a desktop, CableFREE PC card in a notebook, NCF600 CableFREE NetBlaster, NBG600, standard RJ-45 Ethernet cable.)

Pagers

Description: A handheld, portable electronic device that can contain volatile evidence (telephone numbers, voice mail, e-mail). Cell phones and personal digital assistants also can be used as paging devices.

Primary Uses: For sending and receiving electronic messages, numeric (phone numbers, etc.) and alphanumeric (text, often including e-mail).

Note: Since batteries have a limited life, data could be lost if they fail. Therefore, appropriate personnel (e.g., evidence custodian, lab chief, forensic examiner) should be informed that a device powered by batteries is in need of immediate attention.

Potential Evidence:

◆ Address information. ◆ Text messages.

◆ E-mail. ◆ Voice messages.

◆ Phone numbers.

Printers

Description: One of a variety of printing systems, including thermal, laser, inkjet, and impact, connected to the computer via a cable (serial, parallel, universal serial bus (USB), firewire) or accessed via an infrared port. Some printers contain a memory buffer, allowing them to receive and store multiple page documents while they are printing. Some models may also contain a hard drive.

Primary Uses: Print text, images, etc., from the computer to paper.

Potential Evidence: Printers may maintain usage logs, time and date information, and, if attached to a network, they may store network identity information. In addition, unique characteristics may allow for identification of a printer.

◆ Documents.

◆ Hard drive.

◆ Ink cartridges.

◆ Network identity/information.

◆ Superimposed images on the roller.

◆ Time and date stamp.

(Photographs shown in the original: RIM pager, single pager, pagers, multifunction device, inkjet printers.)

Removable Storage Devices and Media

Description: Media used to store electrical, magnetic, or digital information (e.g., floppy disks, CDs, DVDs, cartridges, tape).

Primary Uses: Portable devices that can store computer programs, text, pictures, video, multimedia files, etc.

New types of storage devices and media come on the market frequently; these are a few examples of how they appear.

Potential Evidence: See potential evidence under computer systems.

Scanners

Description: An optical device connected to a computer, which passes a document past a scanning device (or vice versa) and sends it to the computer as a file.

Primary Uses: Converts documents, pictures, etc., to electronic files, which can then be viewed, manipulated, or transmitted on a computer.

Potential Evidence: The device itself may be evidence. Having the capability to scan may help prove illegal activity (e.g., child pornography, check fraud, counterfeiting, identity theft). In addition, imperfections such as marks on the glass may allow for unique identification of a scanner used to process documents.

(Photographs shown in the original: Syquest cartridge, external CD-ROM drive, recordable CD, Jaz cartridge, Zip cartridge, DAT tape reader, tape drive, LS-120 floppy disk, external media disk drive, DLT tape cartridge, DVD-RAM cartridge, external Zip drive, 8mm and 4mm tapes, 3.5-inch floppy diskette, flatbed scanner, sheetfed scanner, handheld scanner.)

Telephones

Description: A handset either by itself (as with cell phones), or a remote base station (cordless), or connected directly to the landline system. Draws power from an internal battery, electrical plug-in, or directly from the telephone system.

Primary Uses: Two-way communication from one instrument to another, using land lines, radio transmission, cellular systems, or a combination. Phones are capable of storing information.

Note: Since batteries have a limited life, data could be lost if they fail. Therefore, appropriate personnel (e.g., evidence custodian, lab chief, forensic examiner) should be informed that a device powered by batteries is in need of immediate attention.

Potential Evidence: Many telephones can store names, phone numbers, and caller identification information. Additionally, some cellular telephones can store appointment information, receive electronic mail and pages, and may act as a voice recorder.

◆ Appointment calendars/information.

◆ Caller identification information.

◆ Electronic serial number.

◆ E-mail.

◆ Memo.

◆ Password.

◆ Phone book.

◆ Text messages.

◆ Voice mail.

◆ Web browsers.

Miscellaneous Electronic Items

There are many additional types of electronic equipment that are too numerous to be listed that might be found at a crime scene. However, there are many non-traditional devices that can be an excellent source of investigative information and/or evidence. Examples are credit card skimmers, cell phone cloning equipment, caller ID boxes, audio recorders, and Web TV. Fax machines, copiers, and multifunction machines may have internal storage devices and may contain information of evidentiary value.

REMINDER: The search of this type of evidence may require a search warrant. See note in the Introduction, page 7.

(Photographs shown in the original: cordless and cellular phones, cellular phone cloning equipment, caller ID box.)

Copiers

Some copiers maintain user access records and history of copies made. Copiers with the scan once/print many feature allow documents to be scanned once into memory, and then printed later.

Potential Evidence:

◆ Documents.

◆ Time and date stamp.

◆ User usage log.

Credit Card Skimmers

Credit card skimmers are used to read information contained on the magnetic stripe on plastic cards.

Potential Evidence: Cardholder information contained on the tracks of the magnetic stripe includes:

◆ Card expiration date.

◆ Credit card numbers.

◆ User’s address.

◆ User’s name.
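As an added worked example that is not part of the original guide, the following Python code parses the Track 1 and Track 2 layouts defined by ISO/IEC 7813, which is what a skimmer actually captures from the stripe: the primary account number (PAN), the cardholder name (Track 1 only), the expiry date, and the service code. The sample track strings are constructed for the example around the standard 4111 1111 1111 1111 Visa test number; the name, expiry and discretionary data are made up, and the function and field names are the example's own, not those of any skimmer or card product.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample reads, not data from any real card: the PAN is the standard
# 4111 1111 1111 1111 Visa test number; name, expiry and discretionary data are made up.
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JOHN^25121011000000000000?"
SAMPLE_TRACK2 = ";4111111111111111=25121011000000000?"

# ISO/IEC 7813 layouts.
# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
_TRACK1 = re.compile(r"^%B(\d{1,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?$")
_TRACK2 = re.compile(r"^;(\d{1,19})=(\d{4})(\d{3})([^?]*)\?$")


@dataclass
class TrackData:
    track: int
    pan: str
    name: Optional[str]      # Track 2 carries no name field
    expiry_yymm: str
    service_code: str
    discretionary: str
    luhn_ok: bool


def luhn_valid(pan: str) -> bool:
    """Mod-10 check digit test; a failed check usually means a bad swipe or a forged number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track(raw: str) -> Optional[TrackData]:
    """Parse one track read; returns None when the sentinels or layout do not match."""
    raw = raw.strip()
    m = _TRACK1.match(raw)
    if m:
        pan, name, exp, sc, dd = m.groups()
        return TrackData(1, pan, name, exp, sc, dd, luhn_valid(pan))
    m = _TRACK2.match(raw)
    if m:
        pan, exp, sc, dd = m.groups()
        return TrackData(2, pan, None, exp, sc, dd, luhn_valid(pan))
    return None


def cardholder(name_field: str) -> Tuple[str, str]:
    """Track 1 name is SURNAME/FIRST [.TITLE]; return (surname, given names)."""
    surname, _, rest = name_field.partition("/")
    given = rest.split(".")[0].strip()
    return surname.strip(), given


def mask_pan(pan: str) -> str:
    """First six and last four digits only, for notes and reports."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def summarize(raw: str) -> Optional[dict]:
    """Evidentiary summary of a track read that never contains the full PAN."""
    t = parse_track(raw)
    if t is None:
        return None
    return {
        "track": t.track,
        "pan_masked": mask_pan(t.pan),
        "luhn_ok": t.luhn_ok,
        "name": cardholder(t.name) if t.name else None,
        "expires": f"20{t.expiry_yymm[:2]}-{t.expiry_yymm[2:]}",  # YYMM, assumed 20xx
        "service_code": t.service_code,
    }


if __name__ == "__main__":
    for raw in (SAMPLE_TRACK1, SAMPLE_TRACK2, "not a track"):
        print(summarize(raw))
```

The Luhn check separates a clean read from a mis-read or fabricated number, and mask_pan is how the PAN should appear in notes and reports so the full number is not copied into the case file. Neither track layout has a field for the cardholder's address: anything beyond PAN, name, expiry, service code and discretionary data must have come from the skimmer's own storage or from an attached laptop rather than from the stripe.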

Digital Watches

There are several types of digital watches available that can function as pagers that store digital messages. They may store additional information such as address books, appointment calendars, e-mail, and notes. Some also have the capability of synchronizing information with computers.

Potential Evidence:

◆ Address book.

◆ Appointment calendars.

◆ E-mail.

◆ Notes.

◆ Phone numbers.

Facsimile Machines

Facsimile (fax) machines can store preprogrammed phone numbers and a history of transmitted and received documents. In addition, some contain memory allowing multiple-page faxes to be scanned in and sent at a later time as well as allowing incoming faxes to be held in memory and printed later. Some may store hundreds of pages of incoming and/or outgoing faxes.

(Photographs shown in the original: copier, credit card skimmers, credit card skimmer with laptop, fax machine.)

Potential Evidence:

◆ Documents.

◆ Film cartridge.

◆ Phone numbers.

◆ Send/receive log.

Global Positioning Systems (GPS)

Global Positioning Systems can provide information on previous travel via destination information, way points, and routes. Some automatically store the previous destinations and include travel logs.

Potential Evidence:

◆ Home.

◆ Previous destinations.

◆ Way point coordinates.

◆ Way point name.

Investigative Tools and Equipment

Principle: Special tools and equipment may be required to collect electronic evidence. Experience has shown that advances in technology may dictate changes in the tools and equipment required.

Policy: There should be access to the tools and equipment necessary to document, disconnect, remove, package, and transport electronic evidence.

Procedure: Preparations should be made to acquire the equipment required to collect electronic evidence. The needed tools and equipment are dictated by each aspect of the process: documentation, collection, packaging, and transportation.

Tool Kit

Departments should have general crime scene processing tools (e.g., cameras, notepads, sketchpads, evidence forms, crime scene tape, markers). The following are additional items that may be useful at an electronic crime scene.

Documentation Tools

◆ Cable tags.

◆ Indelible felt tip markers.

◆ Stick-on labels.

Disassembly and Removal Tools

A variety of nonmagnetic sizes and types of:

◆ Flat-blade and Phillips-type screwdrivers.

◆ Hex-nut drivers.

◆ Needle-nose pliers.

◆ Secure-bit drivers.

◆ Small tweezers.


◆ Specialized screwdrivers (manufacturer-specific, e.g., Compaq, Macintosh).

◆ Standard pliers.

◆ Star-type nut drivers.

◆ Wire cutters.

Package and Transport Supplies

◆ Antistatic bags.

◆ Antistatic bubble wrap.

◆ Cable ties.

◆ Evidence bags.

◆ Evidence tape.

◆ Packing materials (avoid materials that can produce static electricity such as styrofoam or styrofoam peanuts).

◆ Packing tape.

◆ Sturdy boxes of various sizes.

Other Items

Items that also should be included within a department’s tool kit are:

◆ Gloves.

◆ Hand truck.

◆ Large rubber bands.

◆ List of contact telephone numbers for assistance.

◆ Magnifying glass.

◆ Printer paper.

◆ Seizure disk.

◆ Small flashlight.


Securing and Evaluating the Scene

Principle: The first responder should take steps to ensure the safety of all persons at the scene and to protect the integrity of all evidence, both traditional and electronic.

Policy: All activities should be in compliance with departmental policy and Federal, State, and local laws. (Additional resources are referenced in appendix B.)

Procedure: After securing the scene and all persons on the scene, the first responder should visually identify potential evidence, both conventional (physical) and electronic, and determine if perishable evidence exists. The first responder should evaluate the scene and formulate a search plan.

Secure and evaluate the scene:

◆ Follow jurisdictional policy for securing the crime scene. This would include ensuring that all persons are removed from the immediate area from which evidence is to be collected. At this point in the investigation do not alter the condition of any electronic devices: If it is off, leave it off. If it is on, leave it on.

◆ Protect perishable data physically and electronically.

Perishable data may be found on pagers, caller ID boxes, electronic organizers, cell phones, and other similar devices. The first responder should always keep in mind that any device containing perishable data should be immediately secured, documented, and/or photographed.

◆ Identify telephone lines attached to devices such as modems and caller ID boxes. Document, disconnect, and label each telephone line from the wall rather than the device, when possible. There may also be other communications lines present for LAN/ethernet connections. Consult appropriate personnel/agency in these cases.

Keyboards, the computer mouse, diskettes, CDs, or other components may have latent fingerprints or other physical evidence that should be preserved. Chemicals used in processing latent prints can damage equipment and data. Therefore, latent prints should be collected after electronic evidence recovery is complete.

Conduct preliminary interviews:

◆ Separate and identify all persons (witnesses, subjects, or others) at the scene and record their location at time of entry.

◆ Consistent with departmental policy and applicable law, obtain from these individuals information such as:

❖ Owners and/or users of electronic devices found at the scene, as well as passwords (see below), user names, and Internet service provider.

❖ Passwords. Any passwords required to access the system, software, or data. (An individual may have multiple passwords, e.g., BIOS, system login, network or ISP, application files, encryption pass phrase, e-mail, access token, scheduler, or contact list.)

❖ Purpose of the system.

❖ Any unique security schemes or destructive devices.

❖ Any offsite data storage.

❖ Any documentation explaining the hardware or software


Documenting the Scene

Principle: Documentation of the scene creates a permanent historical record of the scene. Documentation is an ongoing process throughout the investigation. It is important to accurately record the location and condition of computers, storage media, other electronic devices, and conventional evidence.

Policy: Documentation of the scene should be created and maintained in compliance with departmental policy and Federal, State, and local laws.

Procedure: The scene should be documented in detail. Initial documentation of the physical scene:

◆ Observe and document the physical scene, such as the position of the mouse and the location of components relative to each other (e.g., a mouse on the left side of the computer may indicate a left-handed user).

◆ Document the condition and location of the computer system, including power status of the computer (on, off, or in sleep mode). Most computers have status lights that indicate the computer is on. Likewise, if fan noise is heard, the system is probably on. Furthermore, if the computer system is warm, that may also indicate that it is on or was recently turned off.

◆ Identify and document related electronic components that will not be collected.

◆ Photograph the entire scene to create a visual record as noted by the first responder. The complete room should be recorded with 360 degrees of coverage, when possible.

◆ Photograph the front of the computer as well as the monitor screen and other components. Also take written notes on what appears on the monitor screen. Active programs may require videotaping or more extensive documentation of monitor screen activity.

Note: Movement of a computer system while the system is running may cause changes to system data. Therefore, the system should not be moved until it has been safely powered down as described in chapter 5.
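The note in chapter 1 about file timestamps (creation, modification, access, and the fact that even powering the system on can change them) and the documentation principle in this chapter come down to the same practice: record what the evidence looked like before anyone worked on it, in a form that later shows exactly what changed. The following Python example, added here and not part of the original guide, builds a manifest of size, SHA-256 hash, and modification/access/change times for every file under a directory, seals the manifest with an HMAC under an examiner-held key, and then re-reads the directory to report which recorded fields of which files differ. The SEAL_KEY value, the function names, and the two-file scenario in demo() are the example's own assumptions; run it against a working copy or a read-only mounted image, never against original media, since reading a file can itself update its access time.

```python
import hashlib
import hmac
import json
import tempfile
import time
from pathlib import Path

# Assumed examiner-held key for the tamper-evidence seal; illustrative value only.
SEAL_KEY = b"example-examiner-seal-key-change-me"

# Fields whose change means content or filesystem metadata was altered,
# as opposed to the access time that examination itself may touch.
CONTENT_FIELDS = ("size", "sha256", "mtime")


def file_record(path: Path) -> dict:
    """Size, SHA-256 and stat timestamps for one file, opened read-only."""
    st = path.stat()
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return {
        "size": st.st_size,
        "sha256": digest.hexdigest(),
        "mtime": st.st_mtime,   # last content modification
        "atime": st.st_atime,   # last access; reading the file may update it
        "ctime": st.st_ctime,   # last inode/metadata change (POSIX)
    }


def _seal(body: dict) -> str:
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SEAL_KEY, canonical, hashlib.sha256).hexdigest()


def build_manifest(root: Path, case_id: str) -> dict:
    """Record every regular file under root and seal the record with HMAC-SHA256."""
    files = {p.relative_to(root).as_posix(): file_record(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    body = {"case_id": case_id, "root": str(root),
            "recorded_at": time.time(), "files": files}
    return {"body": body, "seal": _seal(body)}


def seal_valid(manifest: dict) -> bool:
    """True if the manifest body has not been altered since it was sealed."""
    return hmac.compare_digest(_seal(manifest["body"]), manifest["seal"])


def verify_manifest(manifest: dict, root: Path) -> dict:
    """Re-read root; return {relative_path: [changed fields]} for files that differ,
    are missing, or were not present when the manifest was made."""
    changes = {}
    recorded = manifest["body"]["files"]
    for rel, old in recorded.items():
        path = root / rel
        if not path.is_file():
            changes[rel] = ["missing"]
            continue
        new = file_record(path)
        diff = [k for k in old if old[k] != new[k]]
        if diff:
            changes[rel] = diff
    for p in root.rglob("*"):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel not in recorded:
            changes[rel] = ["new"]
    return changes


def content_changed(changes: dict) -> dict:
    """Drop entries whose only difference is access time."""
    return {rel: f for rel, f in changes.items()
            if any(k in CONTENT_FIELDS or k in ("missing", "new") for k in f)}


def demo() -> dict:
    """Constructed scenario: two files, seal, alter one, detect it, detect a forged manifest."""
    root = Path(tempfile.mkdtemp(prefix="evidence_"))
    (root / "notes.txt").write_text("meet at 3pm\n")
    (root / "ledger.csv").write_text("date,amount\n2001-01-05,4000\n")
    manifest = build_manifest(root, case_id="EXAMPLE-0001")
    before = content_changed(verify_manifest(manifest, root))
    (root / "ledger.csv").write_text("date,amount\n2001-01-05,400\n")   # altered afterwards
    after = content_changed(verify_manifest(manifest, root))
    forged = json.loads(json.dumps(manifest))                              # someone edits the record
    forged["body"]["files"]["ledger.csv"]["sha256"] = "0" * 64
    return {"seal_ok": seal_valid(manifest), "before": before,
            "after": after, "forged_seal_ok": seal_valid(forged)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The seal ties the recorded hashes and timestamps to the examiner's key, so a later edit to the manifest itself is caught just as an edit to a file is. Access times are reported but kept out of content_changed, because the act of hashing updates them on filesystems that track atime; that is the same effect the chapter 1 note warns about when a system is simply turned on.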

◆ Additional documentation of the system will be performed


Evidence Collection

REMINDER: The search for and collection of evidence at an electronic crime scene may require a search warrant. See note in the Introduction, page 7.

Principle: Computer evidence, like all other evidence, must be handled carefully and in a manner that preserves its evidentiary value. This relates not just to the physical integrity of an item or device, but also to the electronic data it contains. Certain types of computer evidence, therefore, require special collection, packaging, and transportation. Consideration should be given to protect data that may be susceptible to damage or alteration from electromagnetic fields such as those generated by static electricity, magnets, radio transmitters, and other devices.

Policy: Electronic evidence should be collected according to departmental guidelines. In the absence of departmental guidelines outlining procedures for electronic evidence collection, the following procedures are suggested.

Note: Prior to collection of evidence, it is assumed that locating and documenting has been done as described in chapters 3 and 4. Recognize that other types of evidence such as trace, biological, or latent prints may exist. Follow your agency’s protocol regarding evidence collection. Destructive techniques (e.g., use of fingerprint processing chemicals) should be postponed until after electronic evidence recovery is done.

Nonelectronic Evidence

Recovery of nonelectronic evidence can be crucial in the investigation of electronic crime. Proper care should be taken to ensure that such evidence is recovered and preserved. Items relevant to subsequent examination of electronic evidence may exist in other forms (e.g., written passwords and other handwritten notes, blank pads of paper with indented writing, hardware and software manuals, calendars, literature, text or graphical computer printouts, and photographs) and should be secured and preserved for future analysis. These items frequently are in close proximity to the computer or related hardware items. All evidence should be identified, secured, and preserved in compliance with departmental policies.

Stand-Alone and Laptop Computer Evidence

CAUTION: Multiple computers may indicate a computer network. Likewise, computers located at businesses are often networked. In these situations, specialized knowledge about the system is required to effectively recover evidence and reduce your potential for civil liability. When a computer network is encountered, contact the forensic computer expert in your department or outside consultant identified by your department for assistance. Computer systems in a complex environment are addressed later in this chapter.

A “stand-alone” personal computer is a computer not connected to a network or other computer. Stand-alones may be desktop machines or laptops.

Laptops incorporate a computer, monitor, keyboard, and mouse into a single portable unit. Laptops differ from other computers in that they can be powered by electricity or a battery source. Therefore, they require the removal of the battery in addition to stand-alone power-down procedures.

If the computer is on, document existing conditions and call your expert or consultant. If an expert or consultant is not available, continue with the following procedure:

Procedure:

After securing the scene per chapter 3, read all steps below before taking any action (or evidentiary data may be altered).

a. Record in notes all actions you take and any changes that you observe in the monitor, computer, printer, or other peripherals that result from your actions.

b. Observe the monitor and determine if it is on, off, or in sleep mode. Then decide which of the following situations applies and follow the steps for that situation.


Situation 1: Monitor is on and work product and/or desktop is visible.

1. Photograph screen and record information displayed.

2. Proceed to step c.

Situation 2: Monitor is on and screen is blank (sleep mode) or screen saver (picture) is visible.

1. Move the mouse slightly (without pushing buttons). The screen should change and show work product or request a password.

2. If mouse movement does not cause a change in the screen, DO NOT perform any other keystrokes or mouse operations.

3. Photograph the screen and record the information displayed.

4. Proceed to step c.

Situation 3: Monitor is off.

1. Make a note of “off” status.

2. Turn the monitor on, then determine if the monitor status is as described in either situation 1 or 2 above and follow those steps.

c. Regardless of the power state of the computer (on, off, or sleep mode), remove the power source cable from the computer, NOT from the wall outlet. If dealing with a laptop, in addition to removing the power cord, remove the battery pack. The battery is removed to prevent any power to the system. Some laptops have a second battery in the multipurpose bay instead of a floppy drive or CD drive. Check for this possibility and remove that battery as well.

d. Check for outside connectivity (e.g., telephone modem, cable, ISDN, DSL). If a telephone connection is present, attempt to identify the telephone number.

e. To avoid damage to potential evidence, remove any floppy disks that are present, package the disk separately, and label the package. If available, insert either a seizure disk or a blank floppy disk. Do NOT remove CDs or touch the CD drive.

f. Place tape over all the drive slots and over the power connector.

g. Record make, model, and serial numbers.

h. Photograph and diagram the connections of the computer and the corresponding cables.
